How to document PCI DSS-compliant policies and procedures

Technology can only do so much to protect an organisation from data breaches. That’s why Requirement 12 of the PCI DSS (Payment Card Industry Data Security Standard) instructs organisations to implement policies and procedures to help staff manage risks. Employees introduce many risks into businesses that technology simply can’t prevent. Misconfigured databases, email attachments sent to the wrong person and records that are improperly disposed of are common examples of the ways staff compromise information. These are the kinds of risks that a PCI DSS policy can help prevent.

What you should include in a PCI DSS policy

A PCI DSS policy is a collection of written procedures and guides that state how an organisation manages its CDE (cardholder data environment). To achieve PCI compliance, your security policy must address:
  • Information security
This policy details the organisation’s security strategy regarding how to store, process or transmit cardholder information. It provides a detailed outline of information security responsibilities for all staff, contractors, partners and third parties that access the CDE. The document should also summarise your approach to the PCI DSS’s control objectives. Specifically, you should address how you will build and maintain secure networks, protect cardholders’ information (with encryption playing a central role), maintain a vulnerability management programme, restrict access for unauthorised persons and monitor your networks.
  • Formal security awareness
Requirement 12.6 of the PCI DSS states that all employees with access to the CDE must receive training on how to manage their compliance requirements. You should therefore set out a formal process that outlines your approach to staff awareness. Training courses should explain what the PCI DSS is, why its requirements are necessary and how employees can meet their obligations. This should include things such as encryption, password management and how to process or transmit cardholder data. The aim of these courses shouldn’t just be to impart knowledge but to reinforce good security habits. When training is repeated often enough – we’d recommend annually or whenever you experience a security incident – employees will know intuitively what to do and how to avoid costly mistakes.
  • Incident response
Requirement 12.10 of the PCI DSS states that organisations must have an incident response plan, which they can enact in the event of a security breach. Your plan should outline the key roles and responsibilities when it comes to detecting and responding to a data breach. Although it might seem like locking the door after the horse has bolted, organisations that are able to spot an intrusion promptly and take action to rectify the situation have been proven to suffer much less damage – both financially and reputationally – compared to those who don’t have a plan. A significant aspect of your incident response plan will cover your notification requirements. Depending on the nature of the breach, you might be required to inform law enforcement, third-party organisations and affected customers.

A new version of the PCI DSS was published in 2022 and takes effect in March 2023, giving organisations two years to transition to the new requirements.

You can learn more about these changes by reading our blog: PCI DSS v4.0. What Does it Mean for You?


Fast-track your documentation process

Policies and procedures only work if they are regularly reviewed and updated to ensure they work as intended. This can be time-consuming and challenging, so we’ve created our PCI DSS Documentation Toolkit to simplify the job. This toolkit includes all the template documents you need to ensure complete coverage of your PCI DSS requirements. Below is an example of one of the customisable templates in our Documentation Toolkit:

[Screenshot of one of our PCI DSS template documents]

As with all templates in this toolkit, we’ve provided all the necessary information.

All you need to do is fill in the sections that are relevant to your organisation. The toolkit also contains a document checker to help you select and edit the appropriate policy, so that you can create and amend documents as needs arise. The toolkit supports all self-assessment questionnaires, regardless of your specific payment scenario. It’s fully aligned with the PCI DSS, so you can be sure that your policies are accurate and compliant with the Standard.
A version of this blog was originally published on 13 November 2017.